You can now download an untethered jailbreak for every iDevice running iOS 7.0 to 7.0.4, including the iPhone 5, iPhone 5S, and the latest iPad Air and iPad Mini. Early reports suggest that the Evasi0n jailbreak, released by the Evad3rs group, works perfectly — but due to malware and other possible issues, we cannot recommend that you install it.

There is a lot of controversy surrounding both the development and release of this first iOS 7 jailbreak, and an internal source at Evad3rs tells ExtremeTech that the jailbreak contains “Chinese malware” — bundled alongside a prominently placed Chinese app store that reportedly netted the Evad3rs a “high six figure” payment. Furthermore, with iOS 7.1 due to land any day now, there is concern that the Evasi0n jailbreak gives up the zero-day vulnerability too soon, allowing Apple to quickly plug the hole. Never has an iOS jailbreak been so entangled in such a contentious crud storm. Read on to find out more.

The Evasi0n7 jailbreak, released last night by the Evad3rs, is an untethered jailbreak for all devices running iOS 7, from 7.0 to 7.0.4, and can be performed from any PC running Windows or OS X. This means that the iOS 7 jailbreak works for older devices like the iPhone 4 and 4S, but more importantly it supports the iPhone 5 and 5S, iPad 2 and later, iPod fifth gen and later, and the iPad Mini — Apple’s newer iDevices that, for various reasons including the newer A5, A6, and A7 SoCs and advanced security measures in the firmware and boot ROM, have proven very hard to jailbreak. Don’t get me wrong, the Evasi0n jailbreak is some seriously impressive work — but it’s the situation around the jailbreak that we need to discuss, before you go ahead and jailbreak your iPhone or iPad.

Before we dive into the controversy surrounding the Evasi0n jailbreak of iOS 7, we should preface this by saying that there’s a lot of misinformation floating around right now. Due to the secretive (and as it turns out, highly lucrative) nature of jailbreaks, it’s hard to come by trusted and veritable sources of information. We’ll try our best to report what we know to be true, and rumors and reports that are probably true. That’s the best we can do at this point.

Cydia vs. China

The Chinese Taig app store
As you probably know, most jailbreaks (Evasi0n, Redsn0w) come bundled with Cydia — an alternative app store for jailbroken iPhones, iPads, and the iPod touch. This version of Evasi0n, however, comes with Taig — a Chinese app store. From our internal source, it seems that the Evad3rs negotiated with both app stores for inclusion in the jailbreak, but Taig offered more money, netting a payout for the Evad3rs that was “in the high six figures.” Cydia’s lead developer, Jay “Saurik” Freeman said on Twitter he simply couldn’t beat Taig’s offer: “… [The] closest I came had me potentially losing money I didn’t have.”

Since the jailbreak’s release, Evad3rs has come under fire because the Taig app store lists a lot of pirate software. While Cydia doesn’t prevent you from installing pirated software, it does try to discourage you. Furthermore, we’re told by our source at Evad3rs that the jailbreak contains “Chinese malware.” We’re not sure if this refers to the Taig app store itself, or if there’s another piece of nefarious software that’s hidden in the jailbreak. Until it’s entirely clear, you should probably refrain from installing the jailbreak.

Selling out

One of the overarching themes with the Evasi0n7 jailbreak, and probably the reason why there’s so much blood in the water, is that it was rushed out the door. According to the Evad3rs, Cydia’s Saurik, after being rebuffed, “was working with another group to release a jailbreak ahead of us.” Because there’s a lot of money to be made from jailbreaks (around $100k in donations, according to Saurik), there is a big incentive to be first. The Evad3rs’ six-figure deal with Taig was probably contingent on them being first, too.

Geohot returns, with a Xiaomi Mi3 smartphone stuck to his forehead. Who can ever forget those penetrating eyes?
As for who the Evad3rs were competing against, it was none other than Geohot — George Hotz, of original iPhone, Limera1n, and PlayStation 3 jailbreak fame. Judging by his new Twitter account, it seems he was getting very close to releasing his own ra1n jailbreak. “Sale was never going to happen … actually registered the new ra1n domain last night… but congrats to evad3rs, i can’t always win :p”.

Considering the scrutiny that the Evasi0n jailbreak is under right now, though, it sounds like Geohot and Saurik should probably work together to release a clean, piracy-free jailbreak in the next few days or weeks — preferably after Apple has released iOS 7.1, which contains a number of eagerly awaited tweaks and fixes.

EMC-owned RSA Security has denied reports that the company entered into secret contracts with the NSA worth $10 million to use the flawed Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) as the default pseudorandom number generator in the company’s encryption products.

Over the weekend, sources told Reuters that RSA’s adoption of the algorithm was part of the US National Security Agency’s (NSA) effort to promote Dual_EC_DRBG: the agency could point to the algorithm’s use within government to push for its inclusion in the National Institute of Standards and Technology’s Recommendation for Random Number Generation Using Deterministic Random Bit Generators.

“Recent press coverage has asserted that RSA entered into a ‘secret contract’ with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation,” RSA responded today in a blog post.

RSA said it made the decision to use Dual_EC_DRBG as the default in 2004, and that the algorithm was only one of a number of algorithms available to its users.

“RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use,” the company said.

Dual_EC_DRBG has been under fire as a questionable cryptographic algorithm for much of its existence. In November 2007, security expert Bruce Schneier detailed the flaws in the algorithm’s use of secret constants.

“If you know the secret numbers, you can predict the output of the random number generator after collecting just 32 bytes of its output,” Schneier wrote.

“To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.”

In September, the National Institute of Standards and Technology (NIST) recommended against the use of Dual_EC_DRBG. Following that recommendation, RSA did the same. Memos from the documents released by Edward Snowden, and seen by The New York Times, said that Dual_EC_DRBG contained a backdoor for the NSA.
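To make the weakness Schneier describes concrete, here is a toy Dual_EC_DRBG on a small constructed curve. It is an added example, not code from the article, RSA or NIST: the prime, curve, base point, seed and the secret d with Q = d*P are all constructed, and the real generator’s 16-bit truncation of each output is left out. Whoever holds d turns one observed output into every later one.

```python
# Toy model of the Dual_EC_DRBG backdoor on a small curve (added example, not from
# the article). Curve, base point, seed and secret d are constructed; the real
# generator uses P-256 and drops 16 bits of each x (only a 2^16 search for an attacker).
from math import gcd

p = 1019          # constructed prime with p % 4 == 3, so a modular sqrt is one pow()
a, b = 2, 3       # constructed curve y^2 = x^3 + 2x + 3 over F_p
O = None          # point at infinity

def add(P1, P2):
    """Affine point addition, covering doubling and the identity."""
    if P1 is O or P2 is O:
        return P2 if P1 is O else P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P1):  # double-and-add scalar multiplication k*P1
    R = O
    while k:
        if k & 1:
            R = add(R, P1)
        P1, k = add(P1, P1), k >> 1
    return R

def point_from_x(x):
    """Lift an x-coordinate to a curve point, or None if none exists."""
    rhs = (x ** 3 + a * x + b) % p
    y = pow(rhs, (p + 1) // 4, p)
    return (x, y) if y * y % p == rhs else None

def order(P1):  # brute-force order of P1; cheap on a curve of ~1000 points
    k, R = 1, P1
    while R is not O:
        R, k = add(R, P1), k + 1
    return k

P = next(pt for pt in map(point_from_x, range(1, p)) if pt and order(pt) > 100)
n = order(P)                                                 # public base point P
d = next(k for k in range(7, n) if gcd(k, n) == 1)           # trapdoor: Q = d*P
Q = mul(d, P)                                                # published as "random"

def dual_ec(seed, count):
    """Toy Dual_EC: state s <- x(s*P), output r <- x(s*Q)."""
    s, out = seed % n or 1, []
    for _ in range(count):
        s = mul(s, P)[0] % n or 1   # toy guard keeps the state nonzero mod n
        out.append(mul(s, Q)[0])
    return out

def predict_next(r, d):
    """With d, one observed output r yields the next output."""
    R = point_from_x(r)                   # r = x(s*Q): lifts to s*Q or its negation
    s_next = mul(pow(d, -1, n), R)[0] % n or 1   # e*(s*Q) = e*s*d*P = s*P = next state
    return mul(s_next, Q)[0]

def backdoor_works(seed=123456, count=4):
    """True when each output after the first is predicted from its predecessor."""
    outs = dual_ec(seed, count)
    return outs[1:] == [predict_next(r, d) for r in outs[:-1]]
```

The defence is a Q whose discrete logarithm with respect to P nobody can know, or better a generator with no such structure at all, such as HMAC_DRBG or CTR_DRBG from the same NIST recommendation.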

Target is grappling with a data security nightmare that threatens to drive off holiday shoppers during the company’s busiest time of year.

The nation’s second largest discounter said Thursday that data connected to about 40 million credit and debit card accounts was stolen as part of a breach that began over the Thanksgiving weekend.

The data theft marks the second largest credit card breach in the U.S. after retailer TJX announced in 2007 that at least 45.7 million credit and debit card users were exposed to credit card fraud.

Target’s acknowledgement came a day after news reports surfaced that the discounter was investigating a breach.

The chain said customers who made purchases by swiping their cards at terminals in its U.S. stores between Nov. 27 and Dec. 15 may have had their accounts exposed. The stolen data includes customer names, credit and debit card numbers, card expiration dates and the three-digit security codes located on the backs of cards.

The data breach did not affect online purchases, the company said.

The stolen information included Target store brand cards and major card brands such as Visa and MasterCard.

The Minneapolis company, which has 1,797 stores in the U.S. and 124 in Canada, said it immediately told authorities and financial institutions once it became aware of the breach on Dec. 15. The company is teaming with a third-party forensics firm to investigate and prevent future breaches.

The breach is the latest in a series of technology crises for Target. The company faced tough criticism in late 2011 after it drummed up hype around its offerings from Italian designer Missoni only to see its website crash. The site was down most of the day the designer’s collection launched. The company angered customers further with numerous online delays for products and even order cancellations.

But the credit card breach poses an even more serious problem for Target and threatens to scare away shoppers who worry about the safety of their personal data.

“A data breach is of itself a huge reputational issue,” said Jeremy Robinson-Leon, a principal at Group Gordon, a corporate and crisis public relations firm. He noted that Target needs to send the message that it’s rectifying the problem and working with customers to answer questions. He believes Target should have acknowledged the problem on Wednesday rather than waiting until early Thursday.

“This is close to the worst time to have it happen,” Robinson-Leon said. “If I am a Target customer, I think I would be much more likely to go to a competitor over the next few days, rather than risk the potential to have my information be compromised.”

Target advised customers on Thursday to check their statements carefully. Those who see suspicious charges on the cards should report it to their credit card companies and call Target at 866-852-8680. Cases of identity theft can also be reported to law enforcement or the Federal Trade Commission.

“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” Chairman, President and CEO Gregg Steinhafel said in a statement Thursday.

Many displeased Target customers left angry comments on the company’s Facebook page. Some threatened to stop shopping at the store. Many customers complained they couldn’t get through to the call center and couldn’t get on Target’s branded credit card website. Target apologized on its Facebook page and said it is “working hard” to resolve the issue and is adding more workers to field the calls and help solve website issues.

Christopher Browning, 23, of Chesterfield, Va., said he was the victim of credit card fraud earlier this week and he believes it was tied to a purchase he made at Target with his Visa card on Black Friday. However, he called Visa Thursday and the card issuer couldn’t confirm. He says he hasn’t been able to get through to Target’s call center.

On Monday, Browning received a call from his bank’s anti-fraud unit saying that there were two attempts to use his credit card in California — one at a casino in Tracy, Calif. for $8,000 and the other at a casino in Pacheco, for $3,000. Both occurred on Sunday and both were denied. He canceled his credit card and plans to use cash. Although Browning has no proof, he says he believes the fraud was tied to his Black Friday purchase at Target.

“I won’t shop at Target again until the people behind this theft are caught or the reasons for the breach are identified and fixed,” said Browning.

Brianna Byrnes, 22, of Kansas City, Mo., a student at the University of Missouri-Kansas City and a call center worker, said she made a Target purchase during the affected period.

She said the situation made her “a little bit” nervous but was still planning to shop for toys at the retailer.

“I’ve never had anyone steal my identity. I guess it’s taking a risk.”

The incident is particularly troublesome for Target because it has used its branded credit and debit cards as a marketing tool to lure shoppers with a 5 percent discount.

The company said during its earnings call in November that as of October some 20 percent of store customers have the Target branded cards. In fact, households that activate a Target-branded card have increased their spending at the store by about 50 percent on average, the company said.

“This is how Target is getting more customers in the stores,” said Brian Sozzi, CEO and Chief Equities Strategist. “It’s telling people to use the card. It’s been a big win. If they lose that trust, that person goes to Wal-Mart.”

Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn’t know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet’s next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data to other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

“We were like, ‘Okay, we’re totally owned,'” Ruiu told Ars. “‘We have to erase all our systems and start from scratch,’ which we did. It was a very painful exercise. I’ve been suspicious of stuff around here ever since.”

In the intervening three years, Ruiu said, the infections have persisted, almost like a strain of bacteria that’s able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine’s inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.

Another intriguing characteristic: in addition to jumping “airgaps” designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.

“We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD,” Ruiu said. “At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we’re using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys.”

Over the past two weeks, Ruiu has taken to Twitter, Facebook, and Google Plus to document his investigative odyssey and share a theory that has captured the attention of some of the world’s foremost security experts. The malware, Ruiu believes, is transmitted through USB drives to infect the lowest levels of computer hardware. With the ability to target a computer’s Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), and possibly other firmware standards, the malware can attack a wide variety of platforms, escape common forms of detection, and survive most attempts to eradicate it.

But the story gets stranger still. In a series of posts, Ruiu posited another theory that sounds like something from the screenplay of a post-apocalyptic movie: “badBIOS,” as Ruiu dubbed the malware, has the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps.

Bigfoot in the age of the advanced persistent threat

At times as I’ve reported this story, its outline has struck me as the stuff of urban legend, the advanced persistent threat equivalent of a Bigfoot sighting. Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he’s beginning to draw. (A compilation of Ruiu’s observations is here.)

Also unexplained is why Ruiu would be on the receiving end of such an advanced and exotic attack. As a security professional, the organizer of the internationally renowned CanSecWest and PacSec conferences, and the founder of the Pwn2Own hacking competition, he is no doubt an attractive target to state-sponsored spies and financially motivated hackers. But he’s no more attractive a target than hundreds or thousands of his peers, who have so far not reported the kind of odd phenomena that have afflicted Ruiu’s computers and networks.

In contrast to the skepticism that’s common in the security and hacking cultures, Ruiu’s peers have mostly responded with deep-seated concern and even fascination to his dispatches about badBIOS.

“Everybody in security needs to follow @dragosr and watch his analysis of #badBIOS,” Alex Stamos, one of the more trusted and sober security researchers, wrote in a tweet last week. Jeff Moss—the founder of the Defcon and Blackhat security conferences who in 2009 began advising Department of Homeland Security Secretary Janet Napolitano on matters of computer security—retweeted the statement and added: “No joke it’s really serious.” Plenty of others agree.

“Dragos is definitely one of the good reliable guys, and I have never ever even remotely thought him dishonest,” security researcher Arrigo Triulzi told Ars. “Nothing of what he describes is science fiction taken individually, but we have not seen it in the wild ever.”

Been there, done that

Triulzi said he’s seen plenty of firmware-targeting malware in the laboratory. A client of his once infected the UEFI-based BIOS of his Mac laptop as part of an experiment. Five years ago, Triulzi himself developed proof-of-concept malware that stealthily infected the network interface controllers that sit on a computer motherboard and provide the Ethernet jack that connects the machine to a network. His research built off of work by John Heasman that demonstrated how to plant hard-to-detect malware known as a rootkit in a computer’s peripheral component interconnect, the Intel-developed connection that attaches hardware devices to a CPU.

It’s also possible to use high-frequency sounds broadcast over speakers to send network packets. Early networking standards used the technique, said security expert Rob Graham. Ultrasonic-based networking is also the subject of a great deal of research, including this project by scientists at MIT.

Of course, it’s one thing for researchers in the lab to demonstrate viable firmware-infecting rootkits and ultra high-frequency networking techniques. But as Triulzi suggested, it’s another thing entirely to seamlessly fuse the two together and use the weapon in the real world against a seasoned security consultant. What’s more, use of a USB stick to infect an array of computer platforms at the BIOS level rivals the payload delivery system found in the state-sponsored Stuxnet worm unleashed to disrupt Iran’s nuclear program. And the reported ability of badBIOS to bridge airgaps also has parallels to Flame, another state-sponsored piece of malware that used Bluetooth radio signals to communicate with devices not connected to the Internet.

“Really, everything Dragos reports is something that’s easily within the capabilities of a lot of people,” said Graham, who is CEO of penetration testing firm Errata Security. “I could, if I spent a year, write a BIOS that does everything Dragos said badBIOS is doing. To communicate over ultrahigh frequency sound waves between computers is really, really easy.”

Coincidentally, Italian newspapers this week reported that Russian spies attempted to monitor attendees of last month’s G20 economic summit by giving them memory sticks and recharging cables programmed to intercept their communications.

Eureka

For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa.

“The suspicion right now is there’s some kind of buffer overflow in the way the BIOS is reading the drive itself, and they’re reprogramming the flash controller to overflow the BIOS and then adding a section to the BIOS table,” he explained.

He still doesn’t know if a USB stick was the initial infection trigger for his MacBook Air three years ago, or if the USB devices were infected only after they came into contact with his compromised machines, which he said now number between one and two dozen. He said he has been able to identify a variety of USB sticks that infect any computer they are plugged into. At next month’s PacSec conference, Ruiu said he plans to get access to expensive USB analysis hardware that he hopes will provide new clues behind the infection mechanism.

He said he suspects badBIOS is only the initial module of a multi-staged payload that has the ability to infect the Windows, Mac OS X, BSD, and Linux operating systems.